line 5, delete "via the Internet to another MTA." and insert --as described in Request
for Comments (RFC) 821, SMTP provides for the transfer of electronic mail from a sending SMTP
agent to a receiving SMTP agent. SMTP is most commonly used with the Transmission Control
Protocol/Internet Protocol (TCP/IP) to transfer email between Internet hosts known as Message
Transfer Agents (MTAs).--



Page 7, line 9, ddfTf^ "If m(] insert --described in RFC 822, Standard for the Format of
ARPA Internet Text Messages, the email message header--



Page 18, after line 17, insert

--Figure 24 is a block diagram of the Active Filter proxy server system in accordance
with the alternate preferred embodiment having an optional per-recipient
whitelist database and quarantining.

Figure 25 is an overview flow chart showing the processing of the MAIL From 
message with respect to the embodiment of Fig. 24. This includes the Active 
Filtering methods described in Figures 15-19, however, enforcement of the 
decision is made separately for each subsequent recipient identified in an 
RCPT message. 

Figure 26 is an overview flow chart of per-RCPT whitelist processing for an
individual recipient. The proxy connects to the local MTA after the first 
authorized recipient is identified. 

Figure 27 shows how the proxy quarantines a message that did not pass Active 
Filtering and is not whitelisted for the current recipient.

Figure 28 shows the processing of the remainder of the email message, beginning
with the DATA transaction. An email message can be transferred directly to 
one group of recipients and also quarantined for the remainder of recipients. 

Figure 29 shows the retrieval of a quarantined message by a user or administrator, 
with the proxy transferring the quarantined message to the MTA as it would 
any other valid message. When a user retrieves a message from quarantine, 
the proxy deletes the blacklist entry for the sending host since the message 
was, in fact, desired by the recipient.--
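The per-recipient handling described for Figures 24-29 can be modelled as follows. This is an added illustration in Python, not code from the application; the class and function names, the in-memory whitelist, blacklist and quarantine stores, and the choice to blacklist the sending host as soon as Active Filtering fails are assumptions.

```python
class ProxySession:
    """One SMTP transaction as seen by the filtering proxy (constructed model)."""

    def __init__(self, whitelists, blacklist, quarantine):
        self.whitelists = whitelists    # recipient -> set of whitelisted senders
        self.blacklist = blacklist      # set of blacklisted sending hosts
        self.quarantine = quarantine    # list of held messages

    def mail_from(self, host, sender, passed_filter):
        # The Active Filtering result is recorded here and enforced per RCPT.
        self.host, self.sender, self.passed = host, sender, passed_filter
        self.direct, self.held, self.mta_connected = [], [], False
        if not passed_filter:
            self.blacklist.add(host)    # assumption: blacklist-on-failure is enabled

    def rcpt(self, recipient):
        allowed = self.passed or self.sender in self.whitelists.get(recipient, set())
        if allowed:
            self.mta_connected = True   # connect to the local MTA on the first authorized recipient
            self.direct.append(recipient)
        else:
            self.held.append(recipient)
        return allowed

    def data(self, body):
        # One message can go directly to some recipients and be quarantined for the rest.
        if self.held:
            self.quarantine.append({"host": self.host, "sender": self.sender,
                                    "recipients": list(self.held), "body": body})
        return list(self.direct)


def release(quarantine, blacklist, index, recipient):
    """A user retrieves a held message: hand it on and drop the host's blacklist entry."""
    item = quarantine[index]
    item["recipients"].remove(recipient)
    blacklist.discard(item["host"])     # the message was, in fact, desired
    if not item["recipients"]:
        quarantine.pop(index)
    return item["body"]
```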



Page 22, line 7, change "Taken" to --Token--.



Page 23, before line 9 insert the paragraph --The router 1101, firewall host 1103 and mail
server host 1105 can also be installed on a single LAN 1102. In this case, the firewall host 1103 has
a single physical LAN interface device that is shared by the two logical interface functions (message
arrival, via the router 1101, and message delivery to the mail server host 1105). The use of a shared
physical LAN interface is conceptually the same as shown in Figure 8, with the exception that the
firewall host 1103 cannot be configured to block packets from the Internet 1100 to the mail server
host 1105. In this case, the router 1101 must be configured to block such direct access from the
Internet to the mail server host 1105.--



Page 27, after line 20 insert the paragraph --The administrator can configure the types of
testing to be conducted by the proxy. The proxy reads the configuration database 1098 to determine
the proper filtering modes. Thus, the administrator can set the configuration database 1098 to
include flags for Active Dialup filtering, Active Relay filtering on a reverse connection, Active User
filtering, Bcc filtering, and/or to append a filter to the blacklist database 1095 when any filter finds
an email problem. The proxy filter will then conduct the appropriate filtering for the flags set in the
configuration database 1098, but will not take any action for flags that are not set.--



Page 28, lines 6-7, please delete the lines in their entirety and insert --If the results of the
Active Dialup test are negative (that is, the proxy does not categorize the remote host as a dialup)
or the results of the Active Relay test are indeterminate (the proxy is unable to successfully conclude
Relay testing on that




Page 31, line 10, after "message." insert --In addition, the administrator can provide a
filtering configuration rule that blocks mail from hosts that do not have a valid DNS configuration.--

Page 32, after line 13, insert the following paragraphs

--However, the proxy can also provide other blacklisting approaches other
than this type of long-term, IP-based blacklisting. For instance, the proxy can
include blacklisting by domain name and short-term blacklisting for selected types
of problems. Blacklisting by domain name is useful when an administrator observes
a large amount of junk mail from a particular domain, e.g., ".KR" (Korea), but does
not anticipate a need to receive any legitimate mail from those domains. In this case,
the configuration database 1098 contains a list of patterns, and if the connection host
name matches any of these patterns, the proxy closes the connection.

Short-term blacklisting can be used to handle potentially temporary situations
(such as remote hosts with bad DNS configurations) as well as to limit bursts or
retransmissions of junk mail when long-term blacklisting is not desirable. Short-term
blacklisting uses an additional blacklist file that is periodically cleared out by the
operating system.--

Page 34, line 2, after " ^ig^l." insert --The filter proxy also ensures that the MAIL From
addresses from selected large ISPs, such as AOL.com, HOTMAIL.com and YAHOO.com, must
come from a host with the same name. This rejects a considerable amount of spam since spammers
often forge addresses with well-known domain names. This aspect, however, is usually only useful
for large ISPs.--
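The domain-name blacklist, the short-term blacklist and the large-ISP MAIL From check described in the Page 32 and Page 34 insertions can be combined into one connection-time decision. The following Python sketch is an added example, not code from the application; the function and class names, the glob-style pattern syntax, the timestamp-based expiry (used here in place of a file cleared by the operating system), the reading of "same name" as "host name inside the MAIL From domain", and the step that short-term blacklists a host after a forged ISP address are all assumptions.

```python
import fnmatch
import time

DOMAIN_PATTERNS = ["*.kr"]                          # administrator's patterns (".KR" from the text)
STRICT_ISPS = {"aol.com", "hotmail.com", "yahoo.com"}
SHORT_TERM_TTL = 3600                               # assumed clearing interval, in seconds


class ShortTermBlacklist:
    """Entries expire on their own instead of being cleared by the OS (assumption)."""

    def __init__(self, ttl=SHORT_TERM_TTL):
        self.ttl, self.entries = ttl, {}

    def add(self, ip, now=None):
        self.entries[ip] = (time.time() if now is None else now) + self.ttl

    def contains(self, ip, now=None):
        now = time.time() if now is None else now
        expiry = self.entries.get(ip)
        if expiry is not None and expiry <= now:
            del self.entries[ip]                    # entry has aged out
            expiry = None
        return expiry is not None


def check(ip, host_name, mail_from, short_term, now=None):
    """Return None to accept, or the name of the rule that rejects the connection."""
    host = host_name.lower().rstrip(".")
    if any(fnmatch.fnmatchcase(host, p) for p in DOMAIN_PATTERNS):
        return "domain-blacklist"
    if short_term.contains(ip, now):
        return "short-term-blacklist"
    domain = mail_from.rpartition("@")[2].lower()
    if domain in STRICT_ISPS and not (host == domain or host.endswith("." + domain)):
        short_term.add(ip, now)                     # assumption: damp retransmissions
        return "forged-isp-domain"
    return None
```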



line 23, delete "either" and "or the MAIL From domain,".



Page 35, line 1, after "1405" insert --or if the MAIL From address matches an entry in the
system whitelist--



Page 36, line 5, after "most" insert --these--





Page 40, before line 19, insert the following --The proxy can consider either node names or
complete host names in evaluating whether the remote host exists within a sequential name space.
In general, it is more efficient to consider node names, however, an ISP can organize a dialup name
space so that the sequential naming scheme occurs within an intermediate node of the name, such
as the IP addresses 24.65.51.66 and 24.65.51.67 for the names 24.65.51.66.on.wave.home.com and
24.65.51.67.on.wave.home.com, respectively.--
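The difference between comparing node names and comparing complete host names can be seen with the two names given above. This Python sketch is an added example, not code from the application; the function names and the test used for "sequential" (the names of two neighbouring addresses are identical except for one numeric field that differs by exactly 1) are assumptions, and the host names are passed in by the caller rather than looked up in DNS.

```python
import re


def numeric_fields(name):
    """Return the name with digit runs masked, plus the integers that were masked."""
    numbers = [int(n) for n in re.findall(r"\d+", name)]
    skeleton = re.sub(r"\d+", "#", name.lower())
    return skeleton, numbers


def sequential_pair(name_a, name_b, node_only=False):
    """True when the names of two adjacent IP addresses differ only by one
    numeric field that steps by exactly 1 (assumed criterion)."""
    if node_only:
        # Compare only the leftmost label; everything to its right must match.
        node_a, _, rest_a = name_a.partition(".")
        node_b, _, rest_b = name_b.partition(".")
        if rest_a.lower() != rest_b.lower():
            return False
        name_a, name_b = node_a, node_b
    skel_a, nums_a = numeric_fields(name_a)
    skel_b, nums_b = numeric_fields(name_b)
    if skel_a != skel_b or len(nums_a) != len(nums_b):
        return False
    diffs = [abs(x - y) for x, y in zip(nums_a, nums_b)]
    return sum(1 for d in diffs if d) == 1 and max(diffs, default=0) == 1
```

With the names from the text, the complete-host-name comparison reports a sequential pair, while the node-name comparison does not, because the changing number sits in an intermediate label.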

Page 53, line 20, delete "defining smallhost.dom as a trusted domain, (3)";
line 53, change "4" to --3--.

Page 56, line 8, delete "res_querydomain()" insert --res_query()--.
Page 58, lines 8-9, delete "trusted MAIL From domain (step 1417);". 



Page 59, lines 7-11, delete in their entirety and insert --In an alternative preferred
embodiment, the proxy keeps track of the number of recipients (both those accepted by the MTA
and those rejected by the MTA) and issues an error message when the remote host exceeds the
maximum number of recipients configured in the configuration database 1098.--




